The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade fast-uri to version 3.1.3, 4.0.1 or higher.
fast-uri is a Dependency-free RFC 3986 URI toolbox
Affected versions of this package are vulnerable to Interpretation Conflict in its parse(), normalize(), and equal() functions, which call the nonexistent URL.domainToASCII() static method and silently swallow the resulting TypeError into parsed.error, leaving an internationalized hostname in its unconverted Unicode form. An attacker can steer host-based security policies to an unintended destination by supplying a URL with a Unicode or fullwidth hostname such as http://127。0。0。1/, which is parsed with the host left as 127。0。0。1 while Node's WHATWG URL parser and fetch() canonicalize it to 127.0.0.1. Exploitation requires the application to use this library for host-based decisions such as denylists, loopback filtering, or redirect and proxy validation before passing the URL to a downstream consumer that canonicalizes the host differently.